When China’s new Cybersecurity Law takes effect on June 1, 2017, China will become another important jurisdiction to watch in the international data transfer space.
Before the new Cybersecurity Law officially was promulgated on November 7, 2016, cross-border data transfer of data from China was largely unregulated by the government. While many Chinese laws and regulations governed the collection, use and storage (including localization) of data, no binding laws or regulations contained generally applicable legal requirements or constraints on the transfer of data across Chinese borders.
Article 37 of the new Law, for the first time, expressly requires that operators of Critical Information Infrastructure (CII) store within China “citizens’ personal information and important data” collected or generated in the course of operations within the country. If transfers of data offshore are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise regulated by laws and regulations.
Although there currently is a lack of specifics, the government is likely to devise a data transfer mechanism that relies on CII operators’ commitments or binding contractual obligations to allow companies to transfer personal information of Chinese citizens to other countries. It is possible that at least some elements of this mechanism will be comparable to the European Union’s (EU’s) Model Contracts and Binding Corporate Rules (BCR) or Asia-Pacific Economic Cooperation’s (APEC’s) Cross Border Privacy Rules (CBPR) system. For “important data” relating to China’s national security, the assessment will have to be made on a case-by-case basis.
Companies that transfer Chinese citizens’ data into and out of China on a regular basis can consider taking steps to comply with the potential Chinese requirements, even though we still lack official guidance from the agencies.
Covington’s Yan Luo explains in a EuroBiz article the changes proposed by the new Law and discusses potential data transfer compliance strategies that companies may wish to consider to comply with the new Chinese data transfer requirements. Read the full article here.